wanda-csrf

Adds CSRF protection to your Wanda application.

Requires a session middleware to be initialized first.

Installation

Add this to your application's shard.yml:

dependencies:
  wanda-csrf:
    github: TheEEs/wanda-csrf

Usage

Basic Use

require "wanda-csrf"

add_handler CSRF.new

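You can also change the name of the form field, the header name, the methods that don't need CSRF protection, the error message, and the routes you don't want CSRF protection applied to. All of these are optional. Requests that use a method in allowed_methods or a route in allowed_routes are not CSRF-checked, so keep both lists as short as possible.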

require "wanda-csrf"

add_handler CSRF.new(
  header: "X_CSRF_TOKEN",
  allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
  allowed_routes: ["/api/somecallback"],
  parameter_name: "_csrf", 
  error: "CSRF Error" 
)
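
The request decision these options describe, as an added stand-alone sketch that is not wanda-csrf's own code. `CsrfPolicy`, `permit?`, exact-match route comparison and the header-before-form lookup order are assumptions made for illustration.

```crystal
require "crypto/subtle"
require "random/secure"

# Hypothetical model of the check; names and matching rules are assumptions,
# not taken from the shard's source.
struct CsrfPolicy
  def initialize(@header : String = "X_CSRF_TOKEN",
                 @allowed_methods : Array(String) = ["GET", "HEAD", "OPTIONS", "TRACE"],
                 @allowed_routes : Array(String) = [] of String,
                 @parameter_name : String = "_csrf")
  end

  # Returns true when the request may proceed to the application.
  def permit?(method : String, path : String, session_token : String,
              headers : Hash(String, String), form : Hash(String, String)) : Bool
    # Methods and routes on the allow lists skip the token check entirely.
    return true if @allowed_methods.includes?(method.upcase)
    return true if @allowed_routes.includes?(path) # assumption: exact match

    # Token may arrive in the configured header or the configured form field.
    submitted = headers[@header]? || form[@parameter_name]?
    return false unless submitted
    return false if submitted.empty?

    # Constant-time comparison avoids leaking how much of the token matched.
    Crypto::Subtle.constant_time_compare(submitted, session_token)
  end
end

policy = CsrfPolicy.new(allowed_routes: ["/api/somecallback"])
token = Random::Secure.urlsafe_base64(32) # constructed stand-in for the session's token
none = {} of String => String

# Constructed sample requests: (method, path, headers, form fields)
puts "GET without token:       #{policy.permit?("GET", "/profile", token, none, none)}"
puts "exempt route, no token:  #{policy.permit?("POST", "/api/somecallback", token, none, none)}"
puts "POST without token:      #{policy.permit?("POST", "/profile", token, none, none)}"
puts "POST with header token:  #{policy.permit?("POST", "/profile", token, {"X_CSRF_TOKEN" => token}, none)}"
puts "POST with wrong form:    #{policy.permit?("POST", "/profile", token, none, {"_csrf" => "guess"})}"
```

The second sample request shows why allowed_routes deserves review: a state-changing POST to an exempt route is accepted with no token at all, so such a route needs its own authentication of the caller.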

If you need some logic in your error response, you can pass a proc (a pointer to a function) instead of a string:

require "wanda-csrf"

add_handler CSRF.new(
  header: "X_CSRF_TOKEN",
  allowed_methods: ["GET", "HEAD", "OPTIONS", "TRACE"],
  allowed_routes: ["/api/somecallback"],
  parameter_name: "_csrf", 
  error: ->myerrorhandler(HTTP::Server::Context)
)

def myerrorhandler(env)
  if env.request.headers["Content-Type"]? == "application/json"
    {"error" => "csrf error"}.to_json
  else
    "<html><head><title>Error</title></head><body><h1>You cannot post to this route without a valid csrf token</h1></body></html>"
  end
end